Bug 7613 - Users with more than one secondary group can't access a share with group permission
Summary: Users with more than one secondary group can't access a share with group perm...
Status: NEW
Alias: None
Product: Samba 3.5
Classification: Unclassified
Component: User & Group Accounts (show other bugs)
Version: 3.5.3
Hardware: x86 Linux
: P3 normal
Target Milestone: ---
Assignee: Samba Bugzilla Account
QA Contact: Samba QA Contact
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2010-08-10 08:43 UTC by Felipe Domingos
Modified: 2018-04-03 11:23 UTC (History)
1 user (show)

See Also:


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Felipe Domingos 2010-08-10 08:43:07 UTC
I have some users with 3 groups, one group as primary and two as secondary group.

In the smb.conf I have some shares as:

[trf]
        path = /dados/trf             
        valid users = +trf            
        read only = No                
        wide links = yes              
        follow symlinks = yes

[gvr]
        path = /dados/gvr             
        valid users = +gvr            
        read only = No                
        wide links = yes              
        follow symlinks = yes

[ext]
        path = /dados/executivos
        valid users = +executivos
        read only = No

The command id returns:
# id felipe.domingos
uid=1226(felipe.domingos) gid=115(trf) groups=115(trf),119(executivos),110(gvr)

For my user I can access the share TRF and EXT, but i can't access the GVR share.

felipe@iron:~$ smbclient //SERVER/trf -U felipe.domingos
Enter felipe.domingos's password:
Domain=[MYDOMAIN] OS=[Unix] Server=[Samba 3.5.3]
smb: \> exit

felipe@iron:~$ smbclient //SERVER/ext -U felipe.domingos
Enter felipe.domingos's password:
Domain=[MYDOMAIN] OS=[Unix] Server=[Samba 3.5.3]
smb: \> exit

felipe@iron:~$ smbclient //SERVER/gvr -U felipe.domingos
Enter felipe.domingos's password:
Domain=[MYDOMAIN] OS=[Unix] Server=[Samba 3.5.3]
tree connect failed: NT_STATUS_ACCESS_DENIED

In my tests I realized that the order of groups makes difference, if I add another group as ctb, I get the result:

# id felipe.domingos
uid=1226(felipe.domingos) gid=115(trf) groups=115(trf),118(ctb),119(executivos),110(gvr)

felipe@iron:~$ smbclient //SERVER/trf -U felipe.domingos
Enter felipe.domingos's password:
Domain=[MYDOMAIN] OS=[Unix] Server=[Samba 3.5.3]
smb: \> exit

felipe@iron:~$ smbclient //SERVER/ctb -U felipe.domingos
Enter felipe.domingos's password:
Domain=[MYDOMAIN] OS=[Unix] Server=[Samba 3.5.3]
smb: \> exit

felipe@iron:~$ smbclient //SERVER/ext -U felipe.domingos
Enter felipe.domingos's password:
Domain=[MYDOMAIN] OS=[Unix] Server=[Samba 3.5.3]
tree connect failed: NT_STATUS_ACCESS_DENIED

felipe@iron:~$ smbclient //SERVER/gvr -U felipe.domingos
Enter felipe.domingos's password:
Domain=[MYDOMAIN] OS=[Unix] Server=[Samba 3.5.3]
tree connect failed: NT_STATUS_ACCESS_DENIED

I can access "trf" (primary group) and "ctb" (first secondary group), but I can't access the other share as "ext".
I think that is a problem when you have more than one group as secondary.

Other information:

I have two server with the same configuration, in the server with smbd Version 3.5.1 it's work very well.

The users are in LDAP. (The same users/server LDAP to two samba servers).

Tks.

Felipe